Setting Up A Centralised Authentication Server With Sudo Access Using LDAP
Scope

This document covers setting up a centralized authentication server with sudo access using OpenLDAP, and configuring clients to authenticate against that server. It is a practical, step-by-step document and has been tested on Linux and Solaris. It does not explain what LDAP is or its theory, as that is easily found elsewhere. While setting this up it was found that there is no single place that gives all the steps; one has to search in several places for minor things. This compilation therefore collects all the steps needed for the setup described above.

Operating Systems Used

* Fedora Core-4 Linux
* Solaris 9

Setup OpenLDAP Server:

Installing OpenLDAP on Solaris Server

# Download the OpenLDAP package for Solaris 9 or 10 and gunzip it. Install it with pkgadd, giving the downloaded package file as the argument of -d:
    sudo pkgadd -d
# I prefer to download the tarball from openldap.org and compile and install it. For references see www.openldap.org.
# If you install it with pkgadd, by default the LDAP config files and schemas are in /usr/local/etc/openldap and slapd is in /usr/local/libexec/.

Installing OpenLDAP on Linux Server

# Download the tarball from openldap.org, untar it, go to the newly created directory and run:
    ./configure
    make
    make install
# On Debian-type distros you can instead install the packaged server with "apt-get install slapd" (the command-line client tools such as ldapadd are in the ldap-utils package; there is no package called "openldap").
# The detailed installation procedure is on www.openldap.org.

Configuring OpenLDAP server:

In my example:
# Configuration files are in             ----> /usr/local/etc/openldap
# Database directory                     ----> /var/lib/openldap
# slapd binary                           ----> /usr/local/libexec
# LDAP client binaries such as ldapadd   ----> /usr/local/bin/
# slapadd binary                         ----> /usr/local/sbin

Note: These locations can be different for you.

# Changes in /usr/local/etc/openldap/slapd.conf:

    include /usr/local/etc/openldap/schema/core.schema

This line is there by default. Just add the schema lines given below after it. The order matters: cosine.schema must come before inetorgperson.schema and nis.schema, because both depend on attributes defined in cosine (slapd refuses to start otherwise).

    include /usr/local/etc/openldap/schema/cosine.schema
    include /usr/local/etc/openldap/schema/inetorgperson.schema
    include /usr/local/etc/openldap/schema/nis.schema
    include /usr/local/etc/openldap/schema/corba.schema
    include /usr/local/etc/openldap/schema/dyngroup.schema
    include /usr/local/etc/openldap/schema/java.schema
    include /usr/local/etc/openldap/schema/misc.schema
    include /usr/local/etc/openldap/schema/openldap.schema
    include /usr/local/etc/openldap/schema/ppolicy.schema

Then the database section:

    database  bdb
    suffix    "dc=example,dc=com"
    rootdn    "cn=admin,dc=example,dc=com"
    directory /var/lib/openldap/

The database and directory lines are there by default; change them as per your need, and create the directory. The ldapadd commands below bind as cn=admin with the password "secret", so slapd.conf also needs a rootpw line for that DN. Generate its value with slappasswd so that a hash rather than the clear-text password is stored, and keep slapd.conf readable only by the user slapd runs as.

# Check that slapd.conf is OK with the following command (tool mode: it parses the config and exits):
    /usr/local/libexec/slapd -T test -f /usr/local/etc/openldap/slapd.conf

# Create people.ldif and put the following entries in it. The first entry is the base dc=example,dc=com itself; neither slapadd nor ldapadd will accept ou=People without its parent existing (the organization name "Example" is just an example value):

    dn: dc=example,dc=com
    objectClass: dcObject
    objectClass: organization
    dc: example
    o: Example

    dn: ou=People,dc=example,dc=com
    objectClass: organizationalUnit
    ou: People

# Import /usr/local/etc/openldap/people.ldif offline (slapd must not be running):
    sudo /usr/local/sbin/slapadd -l /usr/local/etc/openldap/people.ldif \
        -f /usr/local/etc/openldap/slapd.conf

  Note: You can also add it online. After starting the slapd server run:
    sudo /usr/local/bin/ldapadd -x -f /usr/local/etc/openldap/people.ldif \
        -D cn=admin,dc=example,dc=com -w secret
  (-w puts the rootdn password on the command line, where every user on the host can see it in the process list; -W prompts for it instead. The commands below use -w as in the original setup.)

# Start the slapd server, i.e. the OpenLDAP server:
    sudo /usr/local/libexec/slapd -f /usr/local/etc/openldap/slapd.conf

# Check whether the server is up:
    ps -ef | grep slapd
    netstat -an | grep 389

# Create Group.ldif and put the following entries in it:

    dn: ou=Group,dc=example,dc=com
    objectClass: organizationalUnit
    ou: Group

# Import Group.ldif online:
    sudo /usr/local/bin/ldapadd -x -f /usr/local/etc/openldap/Group.ldif \
        -D cn=admin,dc=example,dc=com -w secret

Creating passwd.ldif & usergroups.ldif

For this you need the PADL Migration Tools, which are written in Perl (URL given below under Migration Tool). Untar MigrationTools.tgz in /usr/local/etc/openldap/migrate.
For convenience create the directory /usr/local/etc/openldap/ldif_files. Copy /etc/passwd and /etc/group to /usr/local/etc/openldap/. Go to /usr/local/etc/openldap/migrate and run:
    ./migrate_passwd.pl /usr/local/etc/openldap/passwd /usr/local/etc/openldap/ldif_files/passwd.ldif
    ./migrate_group.pl /usr/local/etc/openldap/group /usr/local/etc/openldap/ldif_files/usergroups.ldif

Open passwd.ldif and make the following changes:
* Replace dc=padl with dc=example.
* Add the line below to each user entry in passwd.ldif:
    objectClass: shadowAccount
* Copy each user's encrypted password from /etc/shadow and paste it into the line:
    userPassword: {crypt}
* Check the path of each user's home directory and change it in passwd.ldif accordingly.

Open usergroups.ldif and make the following change:
* Replace dc=padl with dc=example.

# Import passwd.ldif & usergroups.ldif:
    sudo /usr/local/bin/ldapadd -x -f /usr/local/etc/openldap/ldif_files/usergroups.ldif \
        -D cn=admin,dc=example,dc=com -w secret
    sudo /usr/local/bin/ldapadd -x -f /usr/local/etc/openldap/ldif_files/passwd.ldif \
        -D cn=admin,dc=example,dc=com -w secret

Note: passwd.ldif now holds every user's password hash, so protect it like /etc/shadow (mode 600, delete it after the import). Also add an access directive to slapd.conf so that userPassword can be read only by the rootdn and written only by the user's own entry; with no access directives at all, slapd's default policy lets anyone read every attribute, hashes included.

# For sudo access via LDAP add the following line to /usr/local/etc/openldap/slapd.conf:
    include /usr/local/etc/openldap/schema/sudo.schema

Create /usr/local/etc/openldap/schema/sudo.schema and put the following lines in it:

    attributetype ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser'
        DESC 'User(s) who may run sudo'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
        X-ORIGIN 'SUDO' )

    attributetype ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost'
        DESC 'Host(s) who may run sudo'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
        X-ORIGIN 'SUDO' )

    attributetype ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand'
        DESC 'Command(s) to be executed by sudo'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
        X-ORIGIN 'SUDO' )

    attributetype ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs'
        DESC 'User(s) impersonated by sudo'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
        X-ORIGIN 'SUDO' )

    attributetype ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption'
        DESC 'Options(s) followed by sudo'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
        X-ORIGIN 'SUDO' )

    objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
        DESC 'Sudoer Entries'
        MUST ( cn )
        MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description )
        X-ORIGIN 'SUDO' )

Note: I have created these as per my requirement. You can modify them as per yours.

Stop the slapd server by killing it and start it again as shown above. Recheck that it has started.

Create /usr/local/etc/openldap/ldif_files/sudoaccess.ldif and put the following lines in it. The ou=SUDOers entry must come first: the rules are its children, and ldapadd rejects an entry whose parent does not exist.

    dn: ou=SUDOers,dc=example,dc=com
    objectClass: organizationalUnit
    ou: SUDOers

    dn: cn=defaults,ou=SUDOers,dc=example,dc=com
    cn: defaults
    sudoOption: ignore_dot
    sudoOption: !mail_no_user
    sudoOption: !root_sudo
    sudoOption: log_host
    sudoOption: logfile=/var/log/sudolog
    sudoOption: !syslog
    sudoOption: timestamp_timeout=10
    objectClass: top
    objectClass: sudoRole
    description: Default sudoOption's

    dn: cn=Rule1,ou=SUDOers,dc=example,dc=com
    cn: Rule1
    sudoOption: !authenticate
    objectClass: top
    objectClass: sudoRole
    sudoHost: ALL
    sudoCommand: ALL
    sudoUser: ALL
    description: Allowed without password for ALL users

Note on Rule1: sudoUser ALL, sudoHost ALL, sudoCommand ALL and !authenticate together give every user in the directory a passwordless root shell on every client, and anyone who can write to ou=SUDOers can grant the same to themselves. That is what this example intends ("Allowed without password for ALL users"), but for production restrict sudoUser to a group (for example %admins), list the commands actually needed, and drop !authenticate so sudo asks for the user's password.

# Import /usr/local/etc/openldap/ldif_files/sudoaccess.ldif:
    sudo /usr/local/bin/ldapadd -x -f /usr/local/etc/openldap/ldif_files/sudoaccess.ldif \
        -D cn=admin,dc=example,dc=com -w secret

# Our OpenLDAP server is ready now. Check it with slapcat (dumps the database directly from the backend) and ldapsearch (queries the running server, so it also confirms that the ACLs let a client see what it needs).

Setup Client to get authentication from LDAP Server:

For Linux:

# On RedHat you can use authconfig: specify LDAP as the authentication type and set the proper server and base DN.
OR

# Replace the lines given below in /etc/nsswitch.conf.
  Old values:
    passwd: files
    group:  files
  New values:
    passwd: ldap files
    group:  ldap files
  (With ldap first, every lookup of a local account, root included, waits for the LDAP timeout whenever the server is unreachable; "files ldap" keeps root logins working while the directory is down.)

# Make the change in /etc/nsswitch.conf as given above, and make these changes in /etc/ldap.conf:
    BASE dc=example,dc=com
    URI  ldap://10.27.6.67:389
  Uncomment the following lines:
    nss_base_passwd ou=People,dc=example,dc=com?one
    nss_base_shadow ou=People,dc=example,dc=com?one
    nss_base_group  ou=Group,dc=example,dc=com?one
  Note: a plain ldap:// URI on port 389 carries the bind passwords of users logging in, and the {crypt} hashes read by nss_ldap, across the network in the clear. For anything beyond a test setup configure TLS on the server and use ldaps:// (or "ssl start_tls") in /etc/ldap.conf.

# Changes in /etc/pam.d/login. First check that the LDAP PAM module is available:
    ls -l /lib/security/pam_ldap.so
  Then make the following changes in /etc/pam.d/login:
    auth       required     pam_securetty.so
    auth       sufficient   pam_ldap.so
    auth       required     pam_stack.so service=system-auth
    auth       required     pam_nologin.so
    account    sufficient   pam_ldap.so
    account    required     pam_stack.so service=system-auth
    password   sufficient   pam_ldap.so
    password   required     pam_stack.so service=system-auth
    session    sufficient   pam_ldap.so
    session    required     pam_stack.so service=system-auth
    session    optional     pam_console.so
    session    required     /lib/security/pam_limits.so
  Note: a "sufficient" module that succeeds ends its stack, so for LDAP users the session stack stops at pam_ldap and pam_limits is never applied; use "optional" for pam_ldap in the session stack if you rely on limits.

# For sudo access you need to recompile and install sudo as follows. Untar the sudo tarball and in that directory run (only the install step needs root):
    ./configure --prefix=/usr/local/sudo --with-ldap --with-ldap-conf-file=/etc/sudo.ldap
    make
    sudo make install
  This installs the new sudo in /usr/local/sudo, so from now on use /usr/local/sudo/bin/sudo every time. Create /etc/sudo.ldap and put the following lines in it (host is the LDAP server, the same 10.27.6.67 as in /etc/ldap.conf):
    host 10.27.6.67
    sudoers_base ou=SUDOers,dc=example,dc=com

For Solaris:

# Use the following commands (defaultServerList is the LDAP server, 10.27.6.67 in this example):
    ldapclient manual -a defaultSearchBase=dc=example,dc=com \
        -a domainName=test.example.com \
        -a defaultServerList=10.27.6.67:389
  To check, use:
    ldaplist

# Replace the lines given below in /etc/nsswitch.conf.
  Old values:
    passwd: files
    group:  files
  New values:
    passwd: ldap files
    group:  ldap files

# Create the users' home directories as per the paths given in the LDAP server configs and set their permissions properly.

# Changes in /etc/pam.conf:
    login   auth requisite          pam_authtok_get.so.1
    login   auth required           pam_dhkeys.so.1
    login   auth sufficient         pam_ldap.so.1
    login   auth required           pam_unix_auth.so.1
    login   auth required           pam_dial_auth.so.1
    #other  auth requisite          pam_authtok_get.so.1
    other   auth required           pam_dhkeys.so.1
    other   auth sufficient         pam_ldap.so.1
    other   auth required           pam_unix_auth.so.1
    #
    # Account management
    login   account requisite       pam_roles.so.1
    login   account required        pam_projects.so.1
    login   account sufficient      pam_ldap.so.1
    #other  account requisite       pam_roles.so.1
    other   account required        pam_projects.so.1
    other   account sufficient      pam_ldap.so.1
    other   account required        pam_unix_account.so.1
    #
    # Password management
    other   password sufficient     pam_ldap.so.1
    other   password required       pam_dhkeys.so.1
    other   password requisite      pam_authtok_get.so.1
    other   password requisite      pam_authtok_check.so.1
    other   password required       pam_authtok_store.so.1

# Now try logging in as different users.

# For sudo access you need to recompile and install sudo in the same way as on Linux. Untar the sudo tarball and in that directory run:
    ./configure --prefix=/usr/local/sudo --with-ldap \
        --with-ldap-conf-file=/etc/sudo.ldap
    make
    sudo make install
  This installs the new sudo in /usr/local/sudo; use /usr/local/sudo/bin/sudo every time. Create /etc/sudo.ldap and put the following lines in it:
    host 10.27.6.67
    sudoers_base ou=SUDOers,dc=example,dc=com

# Now check sudo access for all users.

Note: With centralized authentication, the users' home directories can be kept on one server, shared with NFS and mounted on the clients. This works well because few processes run out of the home directory, so NFS CPU usage is not a concern, and it is also very convenient for uploads.
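Before importing sudoaccess.ldif, and again whenever the SUDOers tree changes, it is worth checking the rules for the combination Rule1 above uses: sudoUser ALL with sudoCommand ALL and !authenticate. The script below is an added example, not part of the original document or of sudo; it reads an LDIF file entry by entry and reports such rules, exiting non-zero when a passwordless ALL/ALL rule is found. The two sample files are constructed for the example: one holds this document's Rule1, the other a hypothetical replacement limited to the wheel group with authentication kept.

```shell
#!/bin/sh
# Added example (not from the original document or from sudo): lint a sudoers
# LDIF for rules that give every user every command, or skip authentication.

# lint_sudo_ldif FILE
#   prints one line per finding; exit status 1 if any rule grants ALL users
#   ALL commands without a password (sudoOption: !authenticate), else 0.
lint_sudo_ldif() {
    awk '
        function reset() { dn = ""; noauth = 0; split("", users); split("", cmds) }
        function report() {
            if (dn == "") return
            if (("ALL" in users) && ("ALL" in cmds)) {
                if (noauth) {
                    printf "CRITICAL: %s grants ALL users ALL commands without a password\n", dn
                    bad++
                } else {
                    printf "WARN: %s grants ALL users ALL commands\n", dn
                }
            } else if (noauth) {
                printf "WARN: %s runs without a password\n", dn
            }
        }
        BEGIN { reset() }
        /^dn: /                       { dn = substr($0, 5) }
        /^sudoUser: /                 { users[substr($0, 11)] = 1 }
        /^sudoCommand: /              { cmds[substr($0, 14)] = 1 }
        /^sudoOption: !authenticate$/ { noauth = 1 }
        /^$/                          { report(); reset() }   # blank line ends an LDIF entry
        END                           { report(); exit (bad > 0) }
    ' "$1"
}

# --- constructed sample input ------------------------------------------
TMP="${TMPDIR:-/tmp}/sudo_lint.$$"
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT

# The rules from this document: defaults plus the passwordless ALL/ALL Rule1.
cat > "$TMP/sudoaccess.ldif" <<'EOF'
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
cn: defaults
sudoOption: ignore_dot
sudoOption: timestamp_timeout=10
objectClass: top
objectClass: sudoRole

dn: cn=Rule1,ou=SUDOers,dc=example,dc=com
cn: Rule1
sudoOption: !authenticate
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoUser: ALL
EOF

# A hypothetical tighter replacement: only the wheel group, password required.
cat > "$TMP/hardened.ldif" <<'EOF'
dn: cn=admins,ou=SUDOers,dc=example,dc=com
cn: admins
objectClass: top
objectClass: sudoRole
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL
EOF

lint_sudo_ldif "$TMP/sudoaccess.ldif" || echo "lint exit status: $?"   # reports Rule1
lint_sudo_ldif "$TMP/hardened.ldif" && echo "hardened.ldif: no findings"
```

To check the live directory rather than a file, save the output of ldapsearch -x -LLL -b ou=SUDOers,dc=example,dc=com (the -LLL form prints plain LDIF) and run lint_sudo_ldif on it; the check only looks at sudoUser, sudoCommand and !authenticate, so a rule that is wide open through sudoRunAs or a permissive sudoHost still needs a human reader.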